Login.gov's fate in a cyberattack hinges on unproven backups - The Register

The US government's Login.gov identity verification system could be one cyberattack, or just a routine IT hiccup, away from serious trouble, say auditors, because it hasn't shown its backup testing policy is actually in use or effective.

The US Government Accountability Office reported Tuesday that Login.gov, which is managed by the federal government's General Services Administration (GSA) procurement branch, has mostly complied with prior recommendations to improve the seven-year-old centralized login service for US citizens. "Mostly" doesn't include any scheme to keep an eye on the state of its data backups, however, which could be disastrous if they had to be pulled out of storage to restore damaged systems.

You know, like what a backup is supposed to be used for.

The report says that Login.gov does back up its data, but did not fully establish and implement policies and procedures regarding testing those backups. That means, the auditors say, they can't be sure that what's backed up is actually sufficient to restore functionality in case of a catastrophic attack.

"If Login.gov's backup data was not tested to ensure that its integrity was not compromised, then it could result in complete loss of data if a breach were to occur," the GAO wrote in its report.

GAO IT and cybersecurity director Marisol Cruz Cain told The Register in an email that the backup data referred to in the report was related to Login.gov functionality, not the personal data of its users.

"Officials told us that the backups pertained to data that are critical to the availability of Login.gov," Cruz Cain said. "They also stated that if the data were to be lost, it would negatively impact Login.gov's core services."

GSA said the lack of full backup testing stemmed from an understaffed security engineering team, which wasn't fully staffed until January 2024. GAO noted that while GSA has since established a policy, it hasn't shown it's been implemented or effective.

"At the conclusion of our review in June 2025, GSA provided its updated policy for testing Login.gov's backup data," the GAO report stated. "However, it is not yet evident that the policy has been fully implemented or if it is achieving the intended results."

Until GSA actually demonstrates it's done what it said it'd do, Login.gov officials will have less assurance that they are consistently and effectively ensuring the integrity and availability of its data.

The recommendation for GSA to get its backup act together is the only one the GAO made in yesterday's report, but it's not the only problem that auditors have identified at Login.gov.

Despite being launched to verify the identities of US citizens accessing digital government services, Login.gov didn't comply with the National Institute of Standards and Technology's IAL2 identity proofing standards until October 2024. That gap forced multiple federal agencies to lean on third-party services like ID.me and LexisNexis for higher-assurance identity checks that Login.gov couldn't yet provide.

Between 2020 and 2023, federal agencies spent around $209 million on commercial identity proofing services because Login.gov didn't yet support key capabilities, according to the GAO.

In addition to those problems, the GAO also issued a report in October of last year on what Cruz Cain said were issues such as cost uncertainty, not having real-time visibility into authentications, high failure rates, and lack of fraud controls, among others, that still contains two unresolved recommendations.

While the aforementioned identity proofing services have been implemented, the GAO said that GSA has yet to fully address Login.gov's technical challenges and has not yet developed and documented a plan for lessons learned identified in the October report.

Getting those problems fixed could be a job for some of the 18F staffers who helped develop the platform, but, oops, they've all been fired. Hopefully the recently filled security engineering team doesn't get caught up in all those federal government layoffs, too.